In [24]:
# 690e25b4-8c5e-4a10-a32e-523da88a4c99 is my demo tenant
$TenantId = '690e25b4-8c5e-4a10-a32e-523da88a4c99' #"<TENANT_ID>"
$SubscriptionId = 'b9334351-cec8-405d-8358-51846fa2a3ab'

. "..\src\functions.ps1"

try{
    $null = Set-AzContext -TenantId $TenantId -SubscriptionId $SubscriptionId -ErrorAction Stop
}
catch{
    $null = Connect-AzAccount -TenantId $TenantId
}

Get-AzSubscription -TenantId $TenantId | Select-Object -Property Name, Id


[32;1mName                   Id[0m
[32;1m----                   --[0m
PAYG                   571cdf6c-7f34-4f95-b66d-1cb05b0fae5b
Visual Studio VENZO 1  b9334351-cec8-405d-8358-51846fa2a3ab
Visual Studio VENZO 2  ddc12ba0-8cd6-4df1-addb-a9a9f67e236c
Visual Studio APENTO 1 f13a55a2-5dc2-445c-bed1-8d980d58d892
Visual Studio APENTO 2 1d57e5e2-41ef-4909-8f04-657c0b69a276



# Subnets should have an NSG associated

Below shows subnets with no NSG associated. Delegated subnets are less important to protect using NSGs, but should still be so if at all possible.

In [25]:
$Query = @"
resources
| where type == "microsoft.network/virtualnetworks"
| mvexpand subnets = properties.subnets
| extend Delegated = iif(array_length(subnets.properties.delegations) == 0, "no", "yes")
| where isempty(subnets.properties.networkSecurityGroup)
| project ["VNET Name"] = name, ["Subnet Name"] = subnets.name, Delegated, id = subnets.id
"@

Search-AzGraph -Query $Query -UseTenantScope | Select-Object -ExpandProperty Data | Select-Object -ExcludeProperty ResourceId | Format-Table -AutoSize


[32;1mVNET Name             Subnet Name Delegated id[0m
[32;1m---------             ----------- --------- --[0m
arc-host-vnet         NAT         no        /subscriptions/ddc12ba0-8cd6-4df1-addb-a9a9f67e236c/re…
arc-host-vnet         LAN         no        /subscriptions/ddc12ba0-8cd6-4df1-addb-a9a9f67e236c/re…
desktop01-vnet        default     no        /subscriptions/f13a55a2-5dc2-445c-bed1-8d980d58d892/re…
stweaznfs_vNet6006880 default     no        /subscriptions/b9334351-cec8-405d-8358-51846fa2a3ab/re…



# NSG Deny All Rule

All subnets should have a deny all rule ("deny by default, permit by exception" approach). This can be implemented with a priority of 4096 (last rule evaluated always), which counters some of the default rules that ex. allows VNET to VNET (traffic tagged as VNET).

Below outputs the NSGs without such a rule.

In [26]:
<#
powershell:
find NSGs with a "deny all" rule. as azgraph does not support antijoins we will have to find the NSGs that does NOT have such a rule
#>
$Query = @"
resources
| where type == "microsoft.network/networksecuritygroups"
| extend p = todynamic(properties.securityRules)
| mvexpand p
| where p.properties.access == "Deny" and p.properties.direction == "Inbound" and p.properties.destinationPortRange == '*' and p.properties.sourceAddressPrefix == '*'
| extend nsg_id = substring(p.id, 0, strlen(p.id) - strlen(strcat('/securityRules/',p.name)))
| join (
	resources
	| where type == "microsoft.network/networksecuritygroups"
	| project name, nsg_id = id
) on nsg_id
| project name, nsg_id
"@
[array]$NSGsWithDenyAllRule = @(Search-AzGraph -Query $Query -UseTenantScope)
# we also need all NSG IDs
$Query = @"
resources
| where type == "microsoft.network/networksecuritygroups"
| project name, nsg_id = id
"@
#
[array]$NSGs = Search-AzGraph -Query $Query -UseTenantScope
# and finally we can compare and find which NSGs does not have such a rule
Compare-Object -ReferenceObject $NSGs -DifferenceObject $NSGsWithDenyAllRule -Property nsg_id -PassThru | Select-Object name, @{name='id';expression={$_.nsg_id}}



[32;1mname             id[0m
[32;1m----             --[0m
                 
nsg-insecure-01  /subscriptions/b9334351-cec8-405d-8358-51846fa2a3ab/resourceGroups/rg-insecure-st…
nsg-withflowlogs /subscriptions/b9334351-cec8-405d-8358-51846fa2a3ab/resourceGroups/rg-network/pro…
archost01-nsg    /subscriptions/ddc12ba0-8cd6-4df1-addb-a9a9f67e236c/resourceGroups/rg-arc-host/pr…
desktop01-nsg    /subscriptions/f13a55a2-5dc2-445c-bed1-8d980d58d892/resourceGroups/rg-desktop/pro…



# Open Management Ports

Below query identifies NSG rules that expose management ports to the Internet. It will not find obscure rules like allowing *3380-3390*.

Expose your Virtual Machines using Azure Bastion or other similar service. Avoid exposing VMs directly to the Internet.

In [27]:
# check for open management ports
$Query = @"
resources
| where type == "microsoft.network/networksecuritygroups"
| extend p = todynamic(properties.securityRules)
| mvexpand p
| extend destinationPortRange = p.properties.destinationPortRange
| extend destinationPortRanges = p.properties.destinationPortRanges
| extend sourceAddressPrefix = p.properties.sourceAddressPrefix
| extend access = p.properties.access
| extend direction = p.properties.direction
| where access == "Allow" and direction == "Inbound" 
| where destinationPortRange contains "22" or destinationPortRange contains "3389" or destinationPortRanges has "22" or destinationPortRanges has "3389"
| where sourceAddressPrefix == '*' or sourceAddressPrefix == 'Internet'
| extend port = strcat(destinationPortRange, iff(array_length( destinationPortRanges) == 0, '', destinationPortRanges))
| extend nsg_id = substring(p.id, 0, strlen(p.id) - strlen(strcat('/securityRules/',p.name)))
| join kind=inner (
	resources
	| where type == "microsoft.network/networksecuritygroups"
	| project name, nsg_id = id
) on nsg_id
| project ["NSG rule name"] = p.name, ["Exposed port"] = port, ["NSG name"] = name, id = nsg_id
"@
(Search-AzGraph -Query $Query -UseTenantScope).Data | Select-Object -ExcludeProperty ResourceId


[32;1mNSG rule name  Exposed port  NSG name        id[0m
[32;1m-------------  ------------  --------        --[0m
Internet223389 ["22","3389"] nsg-insecure-01 /subscriptions/b9334351-cec8-405d-8358-51846fa2a3ab/r…
Internet3389   3389          nsg-insecure-01 /subscriptions/b9334351-cec8-405d-8358-51846fa2a3ab/r…
Internet22     22            nsg-insecure-01 /subscriptions/b9334351-cec8-405d-8358-51846fa2a3ab/r…



# NSG Flow Logs

Network Security Groups should have flow logs enabled.

A more recent alternative (preview) is Virtual Network Flow Logs. This gives more insight into network traffic flows, but obviously does not tell you what an NSG blocked or allowed.

Best practice is to enforce NSG Flow Logs using Azure Policies.

Below will show Network Security Groups without flow logs enabled.

In [28]:
# 
$Query = @"
resources
| where type =~ "microsoft.network/networkwatchers/flowlogs"
| where properties.enabled == true
| extend nsg_id = tostring(properties.targetResourceId)
| extend flowAnalytics = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled
| project nsg_id, flowAnalytics
| join(
    resources
    | where type =~ "microsoft.network/networksecuritygroups"
    | mvexpand subnet = parse_json(properties.subnets)
    | project nsg_id = tostring(id), name, subnet
    ) on nsg_id
| project Name = name, ["Subnet"] = subnet["id"], ['Flow analytics enabled'] = flowAnalytics, nsg_id
"@
[array]$NSGsWithFlowLogs = (Search-AzGraph -Query $Query -UseTenantScope).Data | Select-Object -ExcludeProperty ResourceId

# we also need all NSG IDs
$Query = @"
resources
| where type == "microsoft.network/networksecuritygroups"
| project name, nsg_id = id
"@
#
[array]$NSGs = Search-AzGraph -Query $Query -UseTenantScope
# and finally we can compare and find which NSGs does not have such a rule
Compare-Object -ReferenceObject $NSGs -DifferenceObject $NSGsWithFlowLogs -Property nsg_id -PassThru | Select-Object name, @{name='id';expression={$_.nsg_id}}


[32;1mname            id[0m
[32;1m----            --[0m
nsg-insecure-01 /subscriptions/b9334351-cec8-405d-8358-51846fa2a3ab/resourceGroups/rg-insecure-stu…
archost01-nsg   /subscriptions/ddc12ba0-8cd6-4df1-addb-a9a9f67e236c/resourceGroups/rg-arc-host/pro…
desktop01-nsg   /subscriptions/f13a55a2-5dc2-445c-bed1-8d980d58d892/resourceGroups/rg-desktop/prov…

